
UMONITOR AND VX2 PROBLEM [resolved]



#1 pedroparra (Member, 15 posts)
Hi, I think that I have UMONITOR/VX2 spyware on my computer. When the computer starts I get this error:

C:\WINDOWS\SYSTEM32\WKIPROP.DLL, [UMONITOR]

Also, a lot of web pages open on their own without user interaction. I have used various spyware programs but the problem is not fixed. They detect VX2 spyware but they can't delete it.

Here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 10:58:34, on 19/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\r_server.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
C:\Archivos de programa\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\userinit.exe
Z:\DPTO CONTABLE\JUANJO\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.invertia.es/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = juanjimenez.local
O17 - HKLM\Software\..\Telephony: DomainName = juanjimenez.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{235C9D9F-C331-4F26-AB22-E40AEF25F293}: NameServer = 192.168.0.103,192.168.0.177,192.168.0.177
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = juanjimenez.local
O21 - SSODL: EEESzNQSq - {AC17DC34-06BD-769E-35C3-0AA89FA1F0EC} - C:\WINDOWS\System32\kadf.dll
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Servicio de registro de McAfee - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Visibroker Activation Daemon - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\oad.exe
O23 - Service: VisiBroker Smart Agent - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\osagent.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

Please help!!!
Pedro Rodriguez
System administrator


#2 Guest_thatman_* (Guest)
Hi pedroparra

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Kc
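Added note from the editor, not part of thatman's reply or of the L2MFix tool itself: the Find Log that option #1 writes is a series of .reg-style fragments (the log pedroparra posts in the next reply shows the shape). The Python below parses such a fragment and applies the checks a helper makes when reading one: which Winlogon\Notify packages load a DLL, and which CLSID InprocServer32 entries point at something other than a .dll or at one file shared by many CLSIDs. The sample log text is constructed from key names and values that appear in this thread; the triage heuristics and the function names are the editor's assumptions, not L2MFix's own logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real capture): an excerpt in the .reg-style shape
# the L2MFix Find Log uses, built from key names and values posted in this
# thread. Backslashes are doubled exactly as in a .reg export.
SAMPLE_LOG = r'''
L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"DllName"="C:\\WINDOWS\\system32\\j6l40g3qe6.dll"
"Logon"="WinLogon"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0C714C3B-9F76-475D-B204-A1365A741CEC}\InprocServer32]
@="C:\\WINDOWS\\system32\\MXSTKPRP.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0B499D84-D699-4DDC-A63A-FF29B61775CD}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{59BAEC8E-5105-42E8-BE7A-9F09FCB803E5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
'''

NOTIFY_ROOT = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"([^"]+)")=(.*)$')


def parse_reg_fragments(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in the log to its {value name: data}; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # banner text, separators, blank lines
        name = '@' if m.group(1) == '@' else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\')  # undo .reg escaping
        keys[current][name] = data
    return keys


def notify_dlls(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(subkey, DllName) for every Winlogon\\Notify package that loads a DLL."""
    out = []
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY_ROOT.lower() + '\\') and values.get('DllName'):
            out.append((key.rsplit('\\', 1)[1], values['DllName']))
    return out


def inproc_servers(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """{CLSID: InprocServer32 path} for every CLSID the log dumped."""
    out = {}
    for key, values in keys.items():
        if key.lower().endswith('\\inprocserver32') and '@' in values:
            out[key.split('\\')[2]] = values['@']  # HKCR\CLSID\{...}\InprocServer32
    return out


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Heuristics (the editor's, not L2MFix's) a helper applies when reading the Find Log."""
    findings = []
    # A Notify package runs inside winlogon.exe at logon, so any third-party DLL here needs a look.
    for sub, dll in notify_dlls(keys):
        findings.append(f'Winlogon\\Notify\\{sub} loads {dll}')
    servers = inproc_servers(keys)
    by_file: Dict[str, List[str]] = {}
    for clsid, path in servers.items():
        by_file.setdefault(path.lower(), []).append(clsid)
        if not path.lower().endswith('.dll'):
            findings.append(f'{clsid} InprocServer32 is not a DLL: {path}')
    # Many CLSIDs resolving to one file means one component registered under many identities.
    for path, clsids in by_file.items():
        if len(clsids) > 1:
            findings.append(f'{len(clsids)} CLSIDs share InprocServer32 {path}')
    return findings


if __name__ == '__main__':
    for line in triage(parse_reg_fragments(SAMPLE_LOG)):
        print(line)
```

On the constructed sample this reports the BITS Notify package and its DLL, the two CLSIDs whose server is guard.tmp rather than a .dll, and the fact that those two share one file. The same parser runs over a full Find Log pasted into a file, since the section banners and separators are simply skipped.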

#3 pedroparra (Topic Starter, Member, 15 posts)
Thank you for your help. May God be with you!
Here is the log you requested:

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j6l40g3qe6.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{61B17FA5-0CBE-4BA9-8944-7135C15ACEFA}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Hoja de propiedades de archivos multimedia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Administración de escáner ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Página de seguridad NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Página de propiedades del archivo de documentos OLE"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensiones de interfaz para uso compartido"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extensión CPL del adaptador de pantalla"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extensión CPL del monitor de pantalla"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extensión de paneo de pantalla del Panel de control"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Página de seguridad DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Página de compatibilidad"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extensión de copia de discos"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensiones del shell para objetos de la red de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Administración de monitor ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Administración de impresora ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensiones del shell para compresión de archivos"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extensión del shell de impresora en Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menú de contexto de cifrado"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Maletín"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extensión de icono de HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fuentes"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Perfil de ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Página de seguridad de impresoras"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensiones de interfaz para uso compartido"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extensión PKO cifrada"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extensión de firma cifrada"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Conexiones de red"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Conexiones de red"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Cámaras y escáneres"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Cámaras y escáneres"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Cámaras y escáneres"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Cámaras y escáneres"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Cámaras y escáneres"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensiones del shell para Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Vínculos a datos de Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tareas programadas"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barra de tareas y menú Inicio"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Buscar"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Ayuda y soporte técnico"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Ayuda y soporte técnico"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ejecutar..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Correo electrónico"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fuentes"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Herramientas administrativas"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra de herramientas de Microsoft Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Estado de la descarga"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Carpeta Shell aumentada"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Carpeta 2 Shell aumentada"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Banda del explorador de Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Banda de búsqueda"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Banda multimedia"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Búsqueda en panel"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Búsqueda Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilidad de opciones del árbol de Registro"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Dirección"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Cuadro de la dirección"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Autocompletar de Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista autocompleta MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Lista autocompleta MRU personalizada"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barra de progreso emergente"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analizador de Barra de direcciones"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista autocompleta de la historia de Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista autocompleta de la carpeta Shell de Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Contenedor de la Lista múltiple de Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menú de sitio de bandas Shell"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barra de escritorio Shell"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Asistencia al usuario"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Configuración de carpeta global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Servicio de Historial de las direcciones URL de Microsoft"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historial"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Archivos temporales de Internet"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Archivos temporales de Internet"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Hook de búsqueda de direcciones URL de Microsoft"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Pantalla de bienvenida de IE4 Suite"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Banda de Explorador"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Carpeta del caché de ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Carpeta de suscripciones"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Administrador de aplicaciones de Shell"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerador de aplicaciones instaladas"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extractor de vistas en miniatura de archivos GDI+"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Controlador de la información de resumen para vistas en miniatura (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extractor de vistas en miniatura HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Asistente para la publicación en Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Pedido de impresiones vía web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objeto de Asistente de publicación de shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Asistente para obtener pasaporte"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Cuentas de usuario"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Archivo de canal"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Acceso directo al canal"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Objeto de control de canal"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Carpeta de archivos sin conexión"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Personas..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Carpetas Web"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}"="OfficeScan NT"
"{0C714C3B-9F76-475D-B204-A1365A741CEC}"=""
"{735F81BE-696F-487D-BE2B-4D921D041B56}"=""
"{ABF62687-EF3B-4E3A-8EE7-C70D8DA64329}"=""
"{93856640-57B3-4136-BC01-8639F8A8BADC}"=""
"{6D470E87-8456-48C3-B227-8F956BBDE622}"=""
"{4BE4F082-3C71-4560-994A-733E7AB4120C}"=""
"{90B4A572-AD4C-4ADF-8AD4-E72BFA11D54A}"=""
"{FDEA3A51-6BE9-437F-ABBA-668EE4C74ECD}"=""
"{0B499D84-D699-4DDC-A63A-FF29B61775CD}"=""
"{59BAEC8E-5105-42E8-BE7A-9F09FCB803E5}"=""
"{8AD38516-7A8D-413A-951F-7392C76AE3EB}"=""
"{374099A8-519F-4F1F-AB1D-15D8C3F3E6B3}"=""
"{2C892947-8FFB-45DA-8776-6A7953AA98A0}"=""
"{E3045A09-0C32-4A8E-826A-8EA03C907F3E}"=""
"{3A423D6D-DFD2-4198-865A-DA9479026D42}"=""
"{9F91F4E3-2EF0-4FAD-9E9E-AC3AFDC18161}"=""
"{DA77A6DF-49CE-4883-912F-FB043129F848}"=""
"{9C2A7011-8EF2-4D39-B231-C7323D3F7880}"=""
"{C111F5CF-EAA2-45C6-841E-ABF59E03F30C}"=""
"{1F41DEC2-5BBB-427F-AAE3-68CD8FD743AC}"=""
"{7DB18F18-2D21-4EB5-9658-137783C6FE74}"=""
"{4A3DBC05-8AB2-4503-BF02-FC99DC87ACBD}"=""
"{45B8CBF4-E951-44E9-9687-C477655BF6D9}"=""
"{71286F54-C320-4ABA-B38A-0F1E70CDD19E}"=""
"{6064822C-612D-4150-B22C-061496D8221E}"=""
"{E0221FE9-4BF3-41F7-8474-2FAE7439655F}"=""
"{4BF05F5D-EE45-48C0-AC42-5C3FC9F00933}"=""
"{BDE32E3C-0084-4DB7-AB91-DD2AE88DF44E}"=""
"{69BC8D43-FB74-4D6F-A489-9F795DAFF9D7}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0C714C3B-9F76-475D-B204-A1365A741CEC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C714C3B-9F76-475D-B204-A1365A741CEC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C714C3B-9F76-475D-B204-A1365A741CEC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C714C3B-9F76-475D-B204-A1365A741CEC}\InprocServer32]
@="C:\\WINDOWS\\system32\\MXSTKPRP.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{735F81BE-696F-487D-BE2B-4D921D041B56}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{735F81BE-696F-487D-BE2B-4D921D041B56}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{735F81BE-696F-487D-BE2B-4D921D041B56}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{735F81BE-696F-487D-BE2B-4D921D041B56}\InprocServer32]
@="C:\\WINDOWS\\system32\\zdpfldr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ABF62687-EF3B-4E3A-8EE7-C70D8DA64329}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ABF62687-EF3B-4E3A-8EE7-C70D8DA64329}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ABF62687-EF3B-4E3A-8EE7-C70D8DA64329}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ABF62687-EF3B-4E3A-8EE7-C70D8DA64329}\InprocServer32]
@="C:\\WINDOWS\\system32\\pPt5does.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{93856640-57B3-4136-BC01-8639F8A8BADC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93856640-57B3-4136-BC01-8639F8A8BADC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93856640-57B3-4136-BC01-8639F8A8BADC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{93856640-57B3-4136-BC01-8639F8A8BADC}\InprocServer32]
@="C:\\WINDOWS\\system32\\nlvdmd.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6D470E87-8456-48C3-B227-8F956BBDE622}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D470E87-8456-48C3-B227-8F956BBDE622}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D470E87-8456-48C3-B227-8F956BBDE622}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6D470E87-8456-48C3-B227-8F956BBDE622}\InprocServer32]
@="C:\\WINDOWS\\system32\\fnifs.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4BE4F082-3C71-4560-994A-733E7AB4120C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4BE4F082-3C71-4560-994A-733E7AB4120C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4BE4F082-3C71-4560-994A-733E7AB4120C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4BE4F082-3C71-4560-994A-733E7AB4120C}\InprocServer32]
@="C:\\WINDOWS\\system32\\aNaamon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{90B4A572-AD4C-4ADF-8AD4-E72BFA11D54A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90B4A572-AD4C-4ADF-8AD4-E72BFA11D54A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90B4A572-AD4C-4ADF-8AD4-E72BFA11D54A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90B4A572-AD4C-4ADF-8AD4-E72BFA11D54A}\InprocServer32]
@="C:\\WINDOWS\\system32\\fKultrep.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FDEA3A51-6BE9-437F-ABBA-668EE4C74ECD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FDEA3A51-6BE9-437F-ABBA-668EE4C74ECD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FDEA3A51-6BE9-437F-ABBA-668EE4C74ECD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FDEA3A51-6BE9-437F-ABBA-668EE4C74ECD}\InprocServer32]
@="C:\\WINDOWS\\system32\\cmpaige.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0B499D84-D699-4DDC-A63A-FF29B61775CD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B499D84-D699-4DDC-A63A-FF29B61775CD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B499D84-D699-4DDC-A63A-FF29B61775CD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0B499D84-D699-4DDC-A63A-FF29B61775CD}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{59BAEC8E-5105-42E8-BE7A-9F09FCB803E5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59BAEC8E-5105-42E8-BE7A-9F09FCB803E5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59BAEC8E-5105-42E8-BE7A-9F09FCB803E5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59BAEC8E-5105-42E8-BE7A-9F09FCB803E5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8AD38516-7A8D-413A-951F-7392C76AE3EB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AD38516-7A8D-413A-951F-7392C76AE3EB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AD38516-7A8D-413A-951F-7392C76AE3EB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8AD38516-7A8D-413A-951F-7392C76AE3EB}\InprocServer32]
@="C:\\WINDOWS\\system32\\rxm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{374099A8-519F-4F1F-AB1D-15D8C3F3E6B3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{374099A8-519F-4F1F-AB1D-15D8C3F3E6B3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{374099A8-519F-4F1F-AB1D-15D8C3F3E6B3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{374099A8-519F-4F1F-AB1D-15D8C3F3E6B3}\InprocServer32]
@="C:\\WINDOWS\\system32\\GW2PRCFG.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2C892947-8FFB-45DA-8776-6A7953AA98A0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2C892947-8FFB-45DA-8776-6A7953AA98A0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2C892947-8FFB-45DA-8776-6A7953AA98A0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2C892947-8FFB-45DA-8776-6A7953AA98A0}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvjint40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E3045A09-0C32-4A8E-826A-8EA03C907F3E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3045A09-0C32-4A8E-826A-8EA03C907F3E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3045A09-0C32-4A8E-826A-8EA03C907F3E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3045A09-0C32-4A8E-826A-8EA03C907F3E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3A423D6D-DFD2-4198-865A-DA9479026D42}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A423D6D-DFD2-4198-865A-DA9479026D42}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A423D6D-DFD2-4198-865A-DA9479026D42}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3A423D6D-DFD2-4198-865A-DA9479026D42}\InprocServer32]
@="C:\\WINDOWS\\system32\\slxcoins.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9F91F4E3-2EF0-4FAD-9E9E-AC3AFDC18161}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9F91F4E3-2EF0-4FAD-9E9E-AC3AFDC18161}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9F91F4E3-2EF0-4FAD-9E9E-AC3AFDC18161}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9F91F4E3-2EF0-4FAD-9E9E-AC3AFDC18161}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DA77A6DF-49CE-4883-912F-FB043129F848}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DA77A6DF-49CE-4883-912F-FB043129F848}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DA77A6DF-49CE-4883-912F-FB043129F848}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DA77A6DF-49CE-4883-912F-FB043129F848}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9C2A7011-8EF2-4D39-B231-C7323D3F7880}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C2A7011-8EF2-4D39-B231-C7323D3F7880}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C2A7011-8EF2-4D39-B231-C7323D3F7880}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C2A7011-8EF2-4D39-B231-C7323D3F7880}\InprocServer32]
@="C:\\WINDOWS\\system32\\rWsman.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C111F5CF-EAA2-45C6-841E-ABF59E03F30C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C111F5CF-EAA2-45C6-841E-ABF59E03F30C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C111F5CF-EAA2-45C6-841E-ABF59E03F30C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C111F5CF-EAA2-45C6-841E-ABF59E03F30C}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1F41DEC2-5BBB-427F-AAE3-68CD8FD743AC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F41DEC2-5BBB-427F-AAE3-68CD8FD743AC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F41DEC2-5BBB-427F-AAE3-68CD8FD743AC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1F41DEC2-5BBB-427F-AAE3-68CD8FD743AC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7DB18F18-2D21-4EB5-9658-137783C6FE74}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DB18F18-2D21-4EB5-9658-137783C6FE74}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DB18F18-2D21-4EB5-9658-137783C6FE74}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7DB18F18-2D21-4EB5-9658-137783C6FE74}\InprocServer32]
@="C:\\WINDOWS\\system32\\mllbui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4A3DBC05-8AB2-4503-BF02-FC99DC87ACBD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A3DBC05-8AB2-4503-BF02-FC99DC87ACBD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A3DBC05-8AB2-4503-BF02-FC99DC87ACBD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A3DBC05-8AB2-4503-BF02-FC99DC87ACBD}\InprocServer32]
@="C:\\WINDOWS\\system32\\pgotowiz.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{45B8CBF4-E951-44E9-9687-C477655BF6D9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{45B8CBF4-E951-44E9-9687-C477655BF6D9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{45B8CBF4-E951-44E9-9687-C477655BF6D9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{45B8CBF4-E951-44E9-9687-C477655BF6D9}\InprocServer32]
@="C:\\WINDOWS\\system32\\mzexcl40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{71286F54-C320-4ABA-B38A-0F1E70CDD19E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71286F54-C320-4ABA-B38A-0F1E70CDD19E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71286F54-C320-4ABA-B38A-0F1E70CDD19E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71286F54-C320-4ABA-B38A-0F1E70CDD19E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6064822C-612D-4150-B22C-061496D8221E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6064822C-612D-4150-B22C-061496D8221E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6064822C-612D-4150-B22C-061496D8221E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6064822C-612D-4150-B22C-061496D8221E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E0221FE9-4BF3-41F7-8474-2FAE7439655F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0221FE9-4BF3-41F7-8474-2FAE7439655F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0221FE9-4BF3-41F7-8474-2FAE7439655F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0221FE9-4BF3-41F7-8474-2FAE7439655F}\InprocServer32]
@="C:\\WINDOWS\\system32\\hZ23msp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4BF05F5D-EE45-48C0-AC42-5C3FC9F00933}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4BF05F5D-EE45-48C0-AC42-5C3FC9F00933}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4BF05F5D-EE45-48C0-AC42-5C3FC9F00933}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4BF05F5D-EE45-48C0-AC42-5C3FC9F00933}\InprocServer32]
@="C:\\WINDOWS\\system32\\maiole16.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BDE32E3C-0084-4DB7-AB91-DD2AE88DF44E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDE32E3C-0084-4DB7-AB91-DD2AE88DF44E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDE32E3C-0084-4DB7-AB91-DD2AE88DF44E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDE32E3C-0084-4DB7-AB91-DD2AE88DF44E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{69BC8D43-FB74-4D6F-A489-9F795DAFF9D7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69BC8D43-FB74-4D6F-A489-9F795DAFF9D7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69BC8D43-FB74-4D6F-A489-9F795DAFF9D7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69BC8D43-FB74-4D6F-A489-9F795DAFF9D7}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
cmpaige.dll Thu 27 Jan 2005 16:18:56 A.... 224.441 219,18 K
cnmctl32.dll Thu 27 Jan 2005 17:37:46 A.... 224.441 219,18 K
dn6001~1.dll Mon 31 Jan 2005 9:56:42 ..S.R 224.819 219,55 K
enn6l1~1.dll Wed 26 Jan 2005 8:34:22 ..S.R 224.441 219,18 K
fpl203~1.dll Wed 9 Feb 2005 8:23:32 ..S.R 224.793 219,52 K
fplq03~1.dll Thu 27 Jan 2005 11:50:14 ..S.R 224.441 219,18 K
g204lc~1.dll Wed 19 Jan 2005 8:25:38 ..S.R 224.028 218,78 K
gccoll~1.dll Fri 31 Dec 2004 15:00:00 A.... 134.880 131,72 K
gcmd5q~1.dll Thu 13 Jan 2005 14:03:52 A.... 10.752 10,50 K
gcunco~1.dll Fri 31 Dec 2004 13:14:32 A.... 130.272 127,22 K
gp0ql3~1.dll Fri 31 Dec 2004 8:55:22 ..S.R 222.959 217,73 K
gw2prcfg.dll Thu 27 Jan 2005 17:04:40 A.... 226.031 220,73 K
hashlib.dll Fri 31 Dec 2004 15:00:00 A.... 81.120 79,22 K
hr0205~1.dll Tue 25 Jan 2005 8:48:02 ..S.R 224.441 219,18 K
hrj805~1.dll Tue 25 Jan 2005 13:34:50 ..S.R 224.441 219,18 K
hz23msp.dll Wed 23 Feb 2005 8:31:54 ..... 224.724 219,46 K
i2240c~1.dll Wed 16 Feb 2005 20:12:38 ..S.R 223.206 217,97 K
ir02l5~1.dll Thu 27 Jan 2005 13:54:42 ..S.R 224.159 218,90 K
irj0l5~1.dll Wed 23 Feb 2005 8:22:06 ..S.R 224.724 219,46 K
j0l4la~1.dll Thu 13 Jan 2005 8:34:50 ..S.R 223.997 218,75 K
j6l40g~1.dll Tue 22 Feb 2005 18:52:54 ..S.R 224.724 219,46 K
jt8u07~1.dll Tue 25 Jan 2005 13:37:06 ..S.R 224.441 219,18 K
jtn007~1.dll Thu 13 Jan 2005 9:00:34 ..S.R 222.624 217,41 K
k8800i~1.dll Mon 17 Jan 2005 8:29:38 ..S.R 224.006 218,75 K
kt64l7~1.dll Mon 21 Feb 2005 9:45:32 ..S.R 224.724 219,46 K
ktn8l7~1.dll Fri 28 Jan 2005 8:52:06 ..S.R 224.819 219,55 K
l4n4le~1.dll Tue 22 Feb 2005 18:58:36 ..S.R 224.724 219,46 K
lv4009~1.dll Wed 26 Jan 2005 8:27:38 ..S.R 224.441 219,18 K
lvn609~1.dll Sat 19 Feb 2005 10:29:58 ..S.R 224.724 219,46 K
m664lg~1.dll Fri 28 Jan 2005 15:17:16 ..S.R 226.285 220,98 K
maiole16.dll Sat 12 Feb 2005 8:33:44 A.... 224.560 219,30 K
mllbui.dll Tue 1 Feb 2005 10:33:10 A.... 223.098 217,87 K
mnexch40.dll Sat 12 Feb 2005 9:58:40 ..S.R 225.276 219,99 K
mvjint40.dll Thu 27 Jan 2005 17:34:00 A.... 222.965 217,74 K
mvlsl9~1.dll Mon 7 Feb 2005 19:46:54 ..S.R 223.803 218,55 K
mzexcl40.dll Thu 3 Feb 2005 8:20:08 A.... 223.803 218,55 K
n46qle~1.dll Mon 24 Jan 2005 19:24:38 ..S.R 225.834 220,54 K
o666lg~1.dll Wed 9 Feb 2005 8:29:32 ..S.R 226.226 220,92 K
o6840g~1.dll Tue 18 Jan 2005 8:28:54 ..S.R 222.451 217,23 K
o866li~1.dll Tue 25 Jan 2005 19:35:02 ..S.R 224.441 219,18 K
p4p60e~1.dll Thu 13 Jan 2005 8:41:36 ..S.R 223.241 218,01 K
pgotowiz.dll Wed 2 Feb 2005 8:18:02 A.... 223.638 218,39 K
r28s0c~1.dll Thu 27 Jan 2005 17:40:00 ..S.R 224.441 219,18 K
rwsman.dll Tue 1 Feb 2005 8:24:12 A.... 223.638 218,39 K
slxcoins.dll Thu 27 Jan 2005 19:35:34 A.... 224.819 219,55 K
spmsg.dll Tue 30 Nov 2004 14:29:52 ..... 8.704 8,50 K
sporder.dll Wed 22 Dec 2004 8:36:06 A.... 8.464 8,27 K
user32.dll Wed 29 Dec 2004 2:32:54 A.... 575.488 562,00 K
wy2time.dll Thu 27 Jan 2005 14:56:02 A.... 224.441 219,18 K

49 items found: 49 files (30 H/S), 0 directories.
Total of file sizes: 10.371.953 bytes 9,89 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Wed 23 Feb 2005 8:32:56 A.... 224.724 219,46 K

1 item found: 1 file, 0 directories.
Total of file sizes: 224.724 bytes 219,46 K
**********************************************************************************
Directory Listing of system files:
El volumen de la unidad C es IBM_PRELOAD
El número de serie del volumen es: AC17-DC33

Directorio de C:\WINDOWS\System32

23/02/2005 08:22 224,724 irj0l51m1.dll
22/02/2005 18:58 224,724 l4n4le5q1h.dll
22/02/2005 18:52 224,724 j6l40g3qe6.dll
21/02/2005 09:45 224,724 kt64l7jq1.dll
19/02/2005 10:29 224,724 lvn6095se.dll
16/02/2005 20:12 223,206 i2240cfqef2e0.dll
12/02/2005 09:58 225,276 mnexch40.dll
09/02/2005 08:29 226,226 o666lgjs16o6.dll
09/02/2005 08:23 224,793 fpl2033oe.dll
07/02/2005 19:46 223,803 mvlsl9371.dll
31/01/2005 09:56 224,819 dn6001jme.dll
28/01/2005 15:17 226,285 m664lgjq16oe.dll
28/01/2005 08:52 224,819 ktn8l75u1.dll
27/01/2005 17:39 224,441 r28s0cl7efq.dll
27/01/2005 17:13 <DIR> dllcache
27/01/2005 13:54 224,159 ir02l5do1.dll
27/01/2005 11:50 224,441 fplq0335e.dll
26/01/2005 08:34 224,441 enn6l15s1.dll
26/01/2005 08:27 224,441 lv4009hme.dll
25/01/2005 19:35 224,441 o866lijs18o6.dll
25/01/2005 13:37 224,441 jt8u07l9e.dll
25/01/2005 13:34 224,441 hrj8051ue.dll
25/01/2005 08:48 224,441 hr0205doe.dll
24/01/2005 19:24 225,834 n46qlej51ho.dll
19/01/2005 08:25 224,028 g204lcdq1f0e.dll
18/01/2005 08:28 222,451 o6840glqe6qe0.dll
17/01/2005 08:29 224,006 k8800ilme8qa0.dll
13/01/2005 09:00 222,624 jtn0075me.dll
13/01/2005 08:41 223,241 p4p60e7seh.dll
13/01/2005 08:34 223,997 j0l4la3q1d.dll
31/12/2004 08:55 222,959 gp0ql3d51.dll
27/02/2003 21:52 <DIR> Microsoft
22/02/2001 14:55 13,347 Vfpodbc.txt
07/12/1999 05:00 977,680 vfpodbc.dll
24/04/1998 00:00 203,641 Drvvfp.hlp
24/04/1998 00:00 5,446 Drvvfp.cnt
34 archivos 7,931,788 bytes
2 dirs 23,670,583,296 bytes libres
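As an added triage aid (not code from the thread, nor part of l2mfix), the script below parses the two kinds of text this log contains, the `.reg` exports of `HKEY_CLASSES_ROOT\CLSID\{...}` keys and the "Files Found" rows, and flags CLSIDs whose InprocServer32 server is not a COM server file type (guard.tmp) or is system + read-only in the listing; it also lists files whose size sits in the same ~224 KB cluster as a confirmed bad file, and writes the same REGEDIT4 removal form the l2mfix log shows. The sample input is constructed from entries above plus two placeholder CLSIDs (all zeros, all twos) that are not from the log.

```python
"""Triage helper for the CLSID exports and 'Files Found' listing in this log.
Added example, not code from the thread or from l2mfix. A CLSID is flagged when
its InprocServer32 server lacks a COM server extension (as guard.tmp does) or is
marked system + read-only (..S.R) in the listing, which hides it in Explorer."""
import re

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Row shape: "guard.tmp Wed 23 Feb 2005 8:32:56 A.... 224.724 219,46 K"
FILE_RE = re.compile(r"^(\S+)\s+\w{3}\s+\d+\s+\w{3}\s+\d{4}\s+[\d:]+\s+([A.]\S{4})\s+([\d.]+)\s")
COM_SERVER_EXTS = (".dll", ".ocx", ".ax")  # what a real in-process server normally is

# Constructed sample: two CLSIDs copied from the exports above plus two placeholder
# CLSIDs (all zeros, all twos) that are NOT from the log.
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{9F91F4E3-2EF0-4FAD-9E9E-AC3AFDC18161}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9F91F4E3-2EF0-4FAD-9E9E-AC3AFDC18161}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{7DB18F18-2D21-4EB5-9658-137783C6FE74}\InprocServer32]
@="C:\\WINDOWS\\system32\\mllbui.dll"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\system32\\dn6001jme.dll"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"""
# Constructed from the 'Files Found' rows above; dn6001jme.dll is the long name
# of the dn6001~1.dll row and keeps that row's ..S.R flags.
FILE_LISTING = """C:\\WINDOWS\\SYSTEM32\\
dn6001jme.dll Mon 31 Jan 2005 9:56:42 ..S.R 224.819 219,55 K
mllbui.dll Tue 1 Feb 2005 10:33:10 A.... 223.098 217,87 K
sporder.dll Wed 22 Dec 2004 8:36:06 A.... 8.464 8,27 K
user32.dll Wed 29 Dec 2004 2:32:54 A.... 575.488 562,00 K
guard.tmp Wed 23 Feb 2005 8:32:56 A.... 224.724 219,46 K
"""


def parse_inproc_servers(reg_text: str) -> dict[str, str]:
    """Map each CLSID to its InprocServer32 default value (un-escaping doubled backslashes)."""
    servers: dict[str, str] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1).upper()
        elif line.startswith("["):  # any other key ends the InprocServer32 block
            current = None
        elif current and (m := DEFAULT_RE.match(line)):
            servers[current] = m.group(1).replace("\\\\", "\\")
    return servers


def parse_file_listing(listing: str) -> dict[str, dict]:
    """Parse listing rows into {lower-case name: {"attrs": flags, "size": bytes}}."""
    files: dict[str, dict] = {}
    for line in listing.splitlines():
        if m := FILE_RE.match(line.strip()):
            name, attrs, size = m.groups()
            files[name.lower()] = {"attrs": attrs, "size": int(size.replace(".", ""))}
    return files


def flag_clsids(servers: dict[str, str], files: dict[str, dict]) -> dict[str, list[str]]:
    """Return {clsid: [reasons]} for registrations that look like the ones l2mfix removed."""
    flagged: dict[str, list[str]] = {}
    for clsid, path in servers.items():
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if not name.endswith(COM_SERVER_EXTS):
            reasons.append(f"{name}: not a COM server file type")
        info = files.get(name)
        if info and "S" in info["attrs"] and "R" in info["attrs"]:
            reasons.append(f"{name}: system + read-only in the listing")
        if reasons:
            flagged[clsid] = reasons
    return flagged


def size_siblings(files: dict[str, dict], reference_size: int, tolerance: float = 0.02) -> list[str]:
    """Listed files within `tolerance` of a confirmed bad file's size; the listing above
    is dozens of randomly named ~224 KB files, so this finds the rest of the drop."""
    lo, hi = reference_size * (1 - tolerance), reference_size * (1 + tolerance)
    return sorted(n for n, f in files.items() if lo <= f["size"] <= hi)


def removal_reg(clsids: list[str]) -> str:
    """REGEDIT4 script in the form of the 'Registry Entries that were Deleted' block."""
    lines = ["REGEDIT4", "",
             r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]"]
    lines += [f'"{c}"=-' for c in clsids]
    lines += [f"[-HKEY_CLASSES_ROOT\\CLSID\\{c}]" for c in clsids]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    servers, files = parse_inproc_servers(REG_EXPORT), parse_file_listing(FILE_LISTING)
    flagged = flag_clsids(servers, files)
    for clsid, reasons in flagged.items():
        print(clsid, "->", servers[clsid], "|", "; ".join(reasons))
    print("size siblings of guard.tmp:", size_siblings(files, files["guard.tmp"]["size"]))
    print(removal_reg(sorted(flagged)))
```

The flags are a triage aid, not a verdict: mllbui.dll passes both checks yet shows up as a size sibling of guard.tmp, which is why a listing of the whole system32 cluster matters before anything is deleted.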

#4 Guest_thatman_*
Hi pedroparra

Close any programs you have open, since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After the reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Kc :tazz:

#5 pedroparra (Topic Starter)
Thank you for the quick reply!

Here you have the log generated by l2mfix. It took too long! But I think that it worked, because the message about UMONITOR and the DLL disappeared. Thanks, guy! :tazz:

l2mfix log:

L2Mfix 1.02b

Running From:
C:\Documents and Settings\jjlario.JUANJIMENEZ\Escritorio\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Todos
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\jjlario.JUANJIMENEZ\Escritorio\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\jjlario.JUANJIMENEZ\Escritorio\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1624 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\cmpaige.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\cnmctl32.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\dn6001jme.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\enn6l15s1.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\f2l00c3mef.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\fpl2033oe.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\fplq0335e.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\g204lcdq1f0e.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\gp0ql3d51.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\GW2PRCFG.DLL
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\hr0205doe.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\hrj8051ue.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\i2240cfqef2e0.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\ir02l5do1.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\irj0l51m1.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\j0l4la3q1d.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\jt8u07l9e.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\jtn0075me.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\k8800ilme8qa0.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\kt64l7jq1.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\ktn8l75u1.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\l4n4le5q1h.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\lv4009hme.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\lvn6095se.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\m664lgjq16oe.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\maiole16.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\mllbui.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\mnexch40.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\mvjint40.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\mvlsl9371.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\mzexcl40.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\n46qlej51ho.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\o666lgjs16o6.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\o6840glqe6qe0.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\o866lijs18o6.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\p4p60e7seh.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\pgotowiz.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\r28s0cl7efq.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\rWsman.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\slxcoins.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\wY2time.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 archivos copiados.
deleting: C:\WINDOWS\system32\cmpaige.dll
Successfully Deleted: C:\WINDOWS\system32\cmpaige.dll
deleting: C:\WINDOWS\system32\cnmctl32.dll
Successfully Deleted: C:\WINDOWS\system32\cnmctl32.dll
deleting: C:\WINDOWS\system32\dn6001jme.dll
Successfully Deleted: C:\WINDOWS\system32\dn6001jme.dll
deleting: C:\WINDOWS\system32\enn6l15s1.dll
Successfully Deleted: C:\WINDOWS\system32\enn6l15s1.dll
deleting: C:\WINDOWS\system32\f2l00c3mef.dll
Successfully Deleted: C:\WINDOWS\system32\f2l00c3mef.dll
deleting: C:\WINDOWS\system32\fpl2033oe.dll
Successfully Deleted: C:\WINDOWS\system32\fpl2033oe.dll
deleting: C:\WINDOWS\system32\fplq0335e.dll
Successfully Deleted: C:\WINDOWS\system32\fplq0335e.dll
deleting: C:\WINDOWS\system32\g204lcdq1f0e.dll
Successfully Deleted: C:\WINDOWS\system32\g204lcdq1f0e.dll
deleting: C:\WINDOWS\system32\gp0ql3d51.dll
Successfully Deleted: C:\WINDOWS\system32\gp0ql3d51.dll
deleting: C:\WINDOWS\system32\GW2PRCFG.DLL
Successfully Deleted: C:\WINDOWS\system32\GW2PRCFG.DLL
deleting: C:\WINDOWS\system32\hr0205doe.dll
Successfully Deleted: C:\WINDOWS\system32\hr0205doe.dll
deleting: C:\WINDOWS\system32\hrj8051ue.dll
Successfully Deleted: C:\WINDOWS\system32\hrj8051ue.dll
deleting: C:\WINDOWS\system32\i2240cfqef2e0.dll
Successfully Deleted: C:\WINDOWS\system32\i2240cfqef2e0.dll
deleting: C:\WINDOWS\system32\ir02l5do1.dll
Successfully Deleted: C:\WINDOWS\system32\ir02l5do1.dll
deleting: C:\WINDOWS\system32\irj0l51m1.dll
Successfully Deleted: C:\WINDOWS\system32\irj0l51m1.dll
deleting: C:\WINDOWS\system32\j0l4la3q1d.dll
Successfully Deleted: C:\WINDOWS\system32\j0l4la3q1d.dll
deleting: C:\WINDOWS\system32\jt8u07l9e.dll
Successfully Deleted: C:\WINDOWS\system32\jt8u07l9e.dll
deleting: C:\WINDOWS\system32\jtn0075me.dll
Successfully Deleted: C:\WINDOWS\system32\jtn0075me.dll
deleting: C:\WINDOWS\system32\k8800ilme8qa0.dll
Successfully Deleted: C:\WINDOWS\system32\k8800ilme8qa0.dll
deleting: C:\WINDOWS\system32\kt64l7jq1.dll
Successfully Deleted: C:\WINDOWS\system32\kt64l7jq1.dll
deleting: C:\WINDOWS\system32\ktn8l75u1.dll
Successfully Deleted: C:\WINDOWS\system32\ktn8l75u1.dll
deleting: C:\WINDOWS\system32\l4n4le5q1h.dll
Successfully Deleted: C:\WINDOWS\system32\l4n4le5q1h.dll
deleting: C:\WINDOWS\system32\lv4009hme.dll
Successfully Deleted: C:\WINDOWS\system32\lv4009hme.dll
deleting: C:\WINDOWS\system32\lvn6095se.dll
Successfully Deleted: C:\WINDOWS\system32\lvn6095se.dll
deleting: C:\WINDOWS\system32\m664lgjq16oe.dll
Successfully Deleted: C:\WINDOWS\system32\m664lgjq16oe.dll
deleting: C:\WINDOWS\system32\maiole16.dll
Successfully Deleted: C:\WINDOWS\system32\maiole16.dll
deleting: C:\WINDOWS\system32\mllbui.dll
Successfully Deleted: C:\WINDOWS\system32\mllbui.dll
deleting: C:\WINDOWS\system32\mnexch40.dll
Successfully Deleted: C:\WINDOWS\system32\mnexch40.dll
deleting: C:\WINDOWS\system32\mvjint40.dll
Successfully Deleted: C:\WINDOWS\system32\mvjint40.dll
deleting: C:\WINDOWS\system32\mvlsl9371.dll
Successfully Deleted: C:\WINDOWS\system32\mvlsl9371.dll
deleting: C:\WINDOWS\system32\mzexcl40.dll
Successfully Deleted: C:\WINDOWS\system32\mzexcl40.dll
deleting: C:\WINDOWS\system32\n46qlej51ho.dll
Successfully Deleted: C:\WINDOWS\system32\n46qlej51ho.dll
deleting: C:\WINDOWS\system32\o666lgjs16o6.dll
Successfully Deleted: C:\WINDOWS\system32\o666lgjs16o6.dll
deleting: C:\WINDOWS\system32\o6840glqe6qe0.dll
Successfully Deleted: C:\WINDOWS\system32\o6840glqe6qe0.dll
deleting: C:\WINDOWS\system32\o866lijs18o6.dll
Successfully Deleted: C:\WINDOWS\system32\o866lijs18o6.dll
deleting: C:\WINDOWS\system32\p4p60e7seh.dll
Successfully Deleted: C:\WINDOWS\system32\p4p60e7seh.dll
deleting: C:\WINDOWS\system32\pgotowiz.dll
Successfully Deleted: C:\WINDOWS\system32\pgotowiz.dll
deleting: C:\WINDOWS\system32\r28s0cl7efq.dll
Successfully Deleted: C:\WINDOWS\system32\r28s0cl7efq.dll
deleting: C:\WINDOWS\system32\rWsman.dll
Successfully Deleted: C:\WINDOWS\system32\rWsman.dll
deleting: C:\WINDOWS\system32\slxcoins.dll
Successfully Deleted: C:\WINDOWS\system32\slxcoins.dll
deleting: C:\WINDOWS\system32\wY2time.dll
Successfully Deleted: C:\WINDOWS\system32\wY2time.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: cmpaige.dll (164 bytes security) (deflated 4%)
adding: cnmctl32.dll (164 bytes security) (deflated 4%)
adding: dn6001jme.dll (164 bytes security) (deflated 4%)
adding: enn6l15s1.dll (164 bytes security) (deflated 4%)
adding: f2l00c3mef.dll (164 bytes security) (deflated 4%)
adding: fpl2033oe.dll (164 bytes security) (deflated 4%)
adding: fplq0335e.dll (164 bytes security) (deflated 4%)
adding: g204lcdq1f0e.dll (164 bytes security) (deflated 4%)
adding: gp0ql3d51.dll (164 bytes security) (deflated 3%)
adding: GW2PRCFG.DLL (164 bytes security) (deflated 5%)
adding: hr0205doe.dll (164 bytes security) (deflated 4%)
adding: hrj8051ue.dll (164 bytes security) (deflated 4%)
adding: i2240cfqef2e0.dll (164 bytes security) (deflated 4%)
adding: ir02l5do1.dll (164 bytes security) (deflated 4%)
adding: irj0l51m1.dll (164 bytes security) (deflated 4%)
adding: j0l4la3q1d.dll (164 bytes security) (deflated 4%)
adding: jt8u07l9e.dll (164 bytes security) (deflated 4%)
adding: jtn0075me.dll (164 bytes security) (deflated 3%)
adding: k8800ilme8qa0.dll (164 bytes security) (deflated 4%)
adding: kt64l7jq1.dll (164 bytes security) (deflated 4%)
adding: ktn8l75u1.dll (164 bytes security) (deflated 4%)
adding: l4n4le5q1h.dll (164 bytes security) (deflated 4%)
adding: lv4009hme.dll (164 bytes security) (deflated 4%)
adding: lvn6095se.dll (164 bytes security) (deflated 4%)
adding: m664lgjq16oe.dll (164 bytes security) (deflated 5%)
adding: maiole16.dll (164 bytes security) (deflated 4%)
adding: mllbui.dll (164 bytes security) (deflated 4%)
adding: mnexch40.dll (164 bytes security) (deflated 5%)
adding: mvjint40.dll (164 bytes security) (deflated 4%)
adding: mvlsl9371.dll (164 bytes security) (deflated 4%)
adding: mzexcl40.dll (164 bytes security) (deflated 4%)
adding: n46qlej51ho.dll (164 bytes security) (deflated 5%)
adding: o666lgjs16o6.dll (164 bytes security) (deflated 5%)
adding: o6840glqe6qe0.dll (164 bytes security) (deflated 3%)
adding: o866lijs18o6.dll (164 bytes security) (deflated 4%)
adding: p4p60e7seh.dll (164 bytes security) (deflated 4%)
adding: pgotowiz.dll (164 bytes security) (deflated 4%)
adding: r28s0cl7efq.dll (164 bytes security) (deflated 4%)
adding: rWsman.dll (164 bytes security) (deflated 4%)
adding: slxcoins.dll (164 bytes security) (deflated 4%)
adding: wY2time.dll (164 bytes security) (deflated 4%)
adding: guard.tmp (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 71%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 85%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 81%)
adding: test2.txt (164 bytes security) (deflated 49%)
adding: test3.txt (164 bytes security) (deflated 49%)
adding: test5.txt (164 bytes security) (deflated 49%)
adding: xfind.txt (164 bytes security) (deflated 75%)
adding: backregs/0B499D84-D699-4DDC-A63A-FF29B61775CD.reg (164 bytes security) (deflated 70%)
adding: backregs/0C714C3B-9F76-475D-B204-A1365A741CEC.reg (164 bytes security) (deflated 70%)
adding: backregs/1F41DEC2-5BBB-427F-AAE3-68CD8FD743AC.reg (164 bytes security) (deflated 70%)
adding: backregs/2C892947-8FFB-45DA-8776-6A7953AA98A0.reg (164 bytes security) (deflated 70%)
adding: backregs/374099A8-519F-4F1F-AB1D-15D8C3F3E6B3.reg (164 bytes security) (deflated 70%)
adding: backregs/3A423D6D-DFD2-4198-865A-DA9479026D42.reg (164 bytes security) (deflated 70%)
adding: backregs/45B8CBF4-E951-44E9-9687-C477655BF6D9.reg (164 bytes security) (deflated 70%)
adding: backregs/4A3DBC05-8AB2-4503-BF02-FC99DC87ACBD.reg (164 bytes security) (deflated 70%)
adding: backregs/4BE4F082-3C71-4560-994A-733E7AB4120C.reg (164 bytes security) (deflated 70%)
adding: backregs/4BF05F5D-EE45-48C0-AC42-5C3FC9F00933.reg (164 bytes security) (deflated 70%)
adding: backregs/59BAEC8E-5105-42E8-BE7A-9F09FCB803E5.reg (164 bytes security) (deflated 70%)
adding: backregs/6064822C-612D-4150-B22C-061496D8221E.reg (164 bytes security) (deflated 70%)
adding: backregs/69BC8D43-FB74-4D6F-A489-9F795DAFF9D7.reg (164 bytes security) (deflated 70%)
adding: backregs/6D470E87-8456-48C3-B227-8F956BBDE622.reg (164 bytes security) (deflated 70%)
adding: backregs/71286F54-C320-4ABA-B38A-0F1E70CDD19E.reg (164 bytes security) (deflated 70%)
adding: backregs/735F81BE-696F-487D-BE2B-4D921D041B56.reg (164 bytes security) (deflated 70%)
adding: backregs/7DB18F18-2D21-4EB5-9658-137783C6FE74.reg (164 bytes security) (deflated 70%)
adding: backregs/8AD38516-7A8D-413A-951F-7392C76AE3EB.reg (164 bytes security) (deflated 70%)
adding: backregs/90B4A572-AD4C-4ADF-8AD4-E72BFA11D54A.reg (164 bytes security) (deflated 70%)
adding: backregs/93856640-57B3-4136-BC01-8639F8A8BADC.reg (164 bytes security) (deflated 70%)
adding: backregs/9C2A7011-8EF2-4D39-B231-C7323D3F7880.reg (164 bytes security) (deflated 70%)
adding: backregs/9F91F4E3-2EF0-4FAD-9E9E-AC3AFDC18161.reg (164 bytes security) (deflated 70%)
adding: backregs/ABF62687-EF3B-4E3A-8EE7-C70D8DA64329.reg (164 bytes security) (deflated 70%)
adding: backregs/BDE32E3C-0084-4DB7-AB91-DD2AE88DF44E.reg (164 bytes security) (deflated 70%)
adding: backregs/C111F5CF-EAA2-45C6-841E-ABF59E03F30C.reg (164 bytes security) (deflated 70%)
adding: backregs/DA77A6DF-49CE-4883-912F-FB043129F848.reg (164 bytes security) (deflated 70%)
adding: backregs/E0221FE9-4BF3-41F7-8474-2FAE7439655F.reg (164 bytes security) (deflated 70%)
adding: backregs/E3045A09-0C32-4A8E-826A-8EA03C907F3E.reg (164 bytes security) (deflated 70%)
adding: backregs/FDEA3A51-6BE9-437F-ABBA-668EE4C74ECD.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: cmpaige.dll
deleting local copy: cnmctl32.dll
deleting local copy: dn6001jme.dll
deleting local copy: enn6l15s1.dll
deleting local copy: f2l00c3mef.dll
deleting local copy: fpl2033oe.dll
deleting local copy: fplq0335e.dll
deleting local copy: g204lcdq1f0e.dll
deleting local copy: gp0ql3d51.dll
deleting local copy: GW2PRCFG.DLL
deleting local copy: hr0205doe.dll
deleting local copy: hrj8051ue.dll
deleting local copy: i2240cfqef2e0.dll
deleting local copy: ir02l5do1.dll
deleting local copy: irj0l51m1.dll
deleting local copy: j0l4la3q1d.dll
deleting local copy: jt8u07l9e.dll
deleting local copy: jtn0075me.dll
deleting local copy: k8800ilme8qa0.dll
deleting local copy: kt64l7jq1.dll
deleting local copy: ktn8l75u1.dll
deleting local copy: l4n4le5q1h.dll
deleting local copy: lv4009hme.dll
deleting local copy: lvn6095se.dll
deleting local copy: m664lgjq16oe.dll
deleting local copy: maiole16.dll
deleting local copy: mllbui.dll
deleting local copy: mnexch40.dll
deleting local copy: mvjint40.dll
deleting local copy: mvlsl9371.dll
deleting local copy: mzexcl40.dll
deleting local copy: n46qlej51ho.dll
deleting local copy: o666lgjs16o6.dll
deleting local copy: o6840glqe6qe0.dll
deleting local copy: o866lijs18o6.dll
deleting local copy: p4p60e7seh.dll
deleting local copy: pgotowiz.dll
deleting local copy: r28s0cl7efq.dll
deleting local copy: rWsman.dll
deleting local copy: slxcoins.dll
deleting local copy: wY2time.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cmpaige.dll
C:\WINDOWS\system32\cnmctl32.dll
C:\WINDOWS\system32\dn6001jme.dll
C:\WINDOWS\system32\enn6l15s1.dll
C:\WINDOWS\system32\f2l00c3mef.dll
C:\WINDOWS\system32\fpl2033oe.dll
C:\WINDOWS\system32\fplq0335e.dll
C:\WINDOWS\system32\g204lcdq1f0e.dll
C:\WINDOWS\system32\gp0ql3d51.dll
C:\WINDOWS\system32\GW2PRCFG.DLL
C:\WINDOWS\system32\hr0205doe.dll
C:\WINDOWS\system32\hrj8051ue.dll
C:\WINDOWS\system32\i2240cfqef2e0.dll
C:\WINDOWS\system32\ir02l5do1.dll
C:\WINDOWS\system32\irj0l51m1.dll
C:\WINDOWS\system32\j0l4la3q1d.dll
C:\WINDOWS\system32\jt8u07l9e.dll
C:\WINDOWS\system32\jtn0075me.dll
C:\WINDOWS\system32\k8800ilme8qa0.dll
C:\WINDOWS\system32\kt64l7jq1.dll
C:\WINDOWS\system32\ktn8l75u1.dll
C:\WINDOWS\system32\l4n4le5q1h.dll
C:\WINDOWS\system32\lv4009hme.dll
C:\WINDOWS\system32\lvn6095se.dll
C:\WINDOWS\system32\m664lgjq16oe.dll
C:\WINDOWS\system32\maiole16.dll
C:\WINDOWS\system32\mllbui.dll
C:\WINDOWS\system32\mnexch40.dll
C:\WINDOWS\system32\mvjint40.dll
C:\WINDOWS\system32\mvlsl9371.dll
C:\WINDOWS\system32\mzexcl40.dll
C:\WINDOWS\system32\n46qlej51ho.dll
C:\WINDOWS\system32\o666lgjs16o6.dll
C:\WINDOWS\system32\o6840glqe6qe0.dll
C:\WINDOWS\system32\o866lijs18o6.dll
C:\WINDOWS\system32\p4p60e7seh.dll
C:\WINDOWS\system32\pgotowiz.dll
C:\WINDOWS\system32\r28s0cl7efq.dll
C:\WINDOWS\system32\rWsman.dll
C:\WINDOWS\system32\slxcoins.dll
C:\WINDOWS\system32\wY2time.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{61B17FA5-0CBE-4BA9-8944-7135C15ACEFA}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{61B17FA5-0CBE-4BA9-8944-7135C15ACEFA}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

In the next post I will add the HijackThis log.

#6 pedroparra (Topic Starter, Member, 15 posts)

Logfile of HijackThis v1.99.0
Scan saved at 10:26:46, on 23/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\r_server.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.invertia.es/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] C:\Archivos de programa\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = juanjimenez.local
O17 - HKLM\Software\..\Telephony: DomainName = juanjimenez.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{235C9D9F-C331-4F26-AB22-E40AEF25F293}: NameServer = 192.168.0.103,192.168.0.177,192.168.0.177
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = juanjimenez.local
O21 - SSODL: EEESzNQSq - {AC17DC34-06BD-769E-35C3-0AA89FA1F0EC} - C:\WINDOWS\System32\kadf.dll
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Servicio de registro de McAfee - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Visibroker Activation Daemon - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\oad.exe
O23 - Service: VisiBroker Smart Agent - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\osagent.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

#7 Guest_thatman_* (Guest)

Hi pedroparra

Please rerun this again.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Kc :tazz:

#8 pedroparra (Topic Starter, Member, 15 posts)

Thank you again!

Here is the l2mfix log!

L2Mfix 1.02b

Running From:
C:\Documents and Settings\jjlario.JUANJIMENEZ\Escritorio\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Todos
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\jjlario.JUANJIMENEZ\Escritorio\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\jjlario.JUANJIMENEZ\Escritorio\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 596 'explorer.exe'
Killing PID 596 'explorer.exe'
Killing PID 596 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed


Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: desktop.ini (164 bytes security) (stored 0%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 72%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************

And in the next post, the HijackThis log.

#9 pedroparra (Topic Starter, Member, 15 posts)

HijackThis log!

Logfile of HijackThis v1.99.0
Scan saved at 14:11:33, on 23/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\r_server.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
Z:\tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.invertia.es/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] C:\Archivos de programa\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = juanjimenez.local
O17 - HKLM\Software\..\Telephony: DomainName = juanjimenez.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{235C9D9F-C331-4F26-AB22-E40AEF25F293}: NameServer = 192.168.0.103,192.168.0.177,192.168.0.177
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = juanjimenez.local
O21 - SSODL: EEESzNQSq - {AC17DC34-06BD-769E-35C3-0AA89FA1F0EC} - C:\WINDOWS\System32\kadf.dll
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Servicio de registro de McAfee - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Visibroker Activation Daemon - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\oad.exe
O23 - Service: VisiBroker Smart Agent - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\osagent.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

Thank you!
For the moment UMonitor seems to have gone to another life!
You are great! :tazz:

#10 Guest_thatman_* (Guest)

Hi there,

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

O15 - Trusted IP range: (HKLM)
O21 - SSODL: EEESzNQSq - {AC17DC34-06BD-769E-35C3-0AA89FA1F0EC} - C:\WINDOWS\System32\kadf.dll


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\kadf.dll

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:

#11 pedroparra (Topic Starter, Member, 15 posts)

Hi again, I did it and the system looks pretty clean. The computer user said that before your help the Recycle folder was not working, but now it works.

Here you have the HijackThis log after the last modifications:

Logfile of HijackThis v1.99.0
Scan saved at 8:43:13, on 24/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\r_server.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\Documents and Settings\jjlario.JUANJIMENEZ\Escritorio\HijackThis.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\userinit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.invertia.es/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] C:\Archivos de programa\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = juanjimenez.local
O17 - HKLM\Software\..\Telephony: DomainName = juanjimenez.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{235C9D9F-C331-4F26-AB22-E40AEF25F293}: NameServer = 192.168.0.103,192.168.0.177,192.168.0.177
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = juanjimenez.local
O21 - SSODL: EEESzNQSq - {AC17DC34-06BD-769E-35C3-0AA89FA1F0EC} - C:\WINDOWS\System32\kadf.dll (file missing)
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Servicio de registro de McAfee - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Visibroker Activation Daemon - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\oad.exe
O23 - Service: VisiBroker Smart Agent - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\osagent.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

Thank you

#12 Guest_thatman_* (Guest)

Hi pedroparra

Close all programs down, leaving only HijackThis running.
Place a check against the following item:

O21 - SSODL: EEESzNQSq - {AC17DC34-06BD-769E-35C3-0AA89FA1F0EC} - C:\WINDOWS\System32\kadf.dll (file missing)

Click on Fix Checked and exit HijackThis.

Post a new HJT log, just to be sure.

Thanks

Kc :tazz:

#13 pedroparra (Topic Starter, Member, 15 posts)

Here is the log.

Thanks!

Logfile of HijackThis v1.99.0
Scan saved at 14:06:24, on 24/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\r_server.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
S:\Contabilidad.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jjlario.JUANJIMENEZ\Escritorio\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.invertia.es/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] C:\Archivos de programa\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Archivos de programa\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = juanjimenez.local
O17 - HKLM\Software\..\Telephony: DomainName = juanjimenez.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{235C9D9F-C331-4F26-AB22-E40AEF25F293}: NameServer = 192.168.0.103,192.168.0.177,192.168.0.177
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = juanjimenez.local
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: Servicio de registro de McAfee - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Visibroker Activation Daemon - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\oad.exe
O23 - Service: VisiBroker Smart Agent - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\osagent.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  • 0
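A triage helper for logs like the one above, as an added example (not HijackThis code, and not something from the thread): it parses the O4 autostart, O17 DNS and O23 service lines and lists entries a helper would want to look at twice. The trusted directory roots, the "Unknown vendor outside the Windows folder" rule and the RFC 1918 check are assumed heuristics chosen for illustration, not HijackThis's own classification; the last two sample lines (a loader in a Temp folder and a resolver outside private address space) are constructed to exercise those rules and do not appear in the log above.

```python
"""Triage the O4 (autostart), O17 (DNS/domain) and O23 (service) lines of a
HijackThis log and flag entries that merit a manual second look.

Added example, not HijackThis code. The heuristics below are assumptions for
illustration, not HijackThis's own verdicts; "flagged" means "review", not "bad".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Roots from which an autostart is unremarkable on this Spanish-locale XP box.
# Assumed list; add entries for other locales or custom install paths.
TRUSTED_ROOTS = (
    "c:\\windows\\", "c:\\archivos de programa\\", "c:\\archiv~1\\",
    "c:\\program files\\", "c:\\progra~1\\",
)
# RFC 1918 ranges only; a home/office LAN resolver is expected to sit in one of these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>.+?) = )(?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<field>\w+) = (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# Executable path at the start of a command line, optionally quoted, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|ocx|bat|cmd|scr))', re.IGNORECASE)

# First eight lines are copied from the log above; the last two are constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{235C9D9F-C331-4F26-AB22-E40AEF25F293}: NameServer = 192.168.0.103,192.168.0.177,192.168.0.177
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Visibroker Activation Daemon - Unknown - C:\ARCHIV~1\Borland\vbroker\bin\oad.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O4 - HKLM\..\Run: [SampleLoader] C:\DOCUME~1\user\LOCALS~1\Temp\loader.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.5
"""


@dataclass(frozen=True)
class Finding:
    section: str   # "O4", "O17" or "O23"
    item: str      # entry name, service name or registry field
    reason: str


def _exe_path(cmd: str) -> Optional[str]:
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def _is_private(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def analyze(log_text: str) -> List[Finding]:
    """Return review items in log order; lines of other sections are ignored."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            name = m.group("name") or m.group("lnk")
            path = _exe_path(m.group("cmd"))
            if path is None:
                findings.append(Finding("O4", name, "no executable path recognised; inspect manually"))
            elif "\\temp\\" in path.lower():
                findings.append(Finding("O4", name, f"autostart runs from a Temp folder: {path}"))
            elif not _under_trusted_root(path):
                findings.append(Finding("O4", name, f"autostart outside trusted roots: {path}"))
        elif m := O17_RE.match(line):
            if m.group("field").lower() == "nameserver":
                for server in (s.strip() for s in m.group("value").split(",")):
                    if not _is_private(server):
                        findings.append(Finding("O17", "NameServer",
                                                f"resolver {server} is outside RFC 1918 space; confirm with the ISP/admin"))
        elif m := O23_RE.match(line):
            path = _exe_path(m.group("path"))
            if m.group("company") == "Unknown" and path and not path.lower().startswith("c:\\windows\\"):
                findings.append(Finding("O23", m.group("name"),
                                        f"service without vendor info outside the Windows folder: {path}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4}{f.item}: {f.reason}")
```

Run against the constructed sample, the helper reports four items: the IBM updater (outside the assumed trusted roots), the Borland activation daemon (no vendor string, outside C:\WINDOWS), the constructed Temp-folder loader, and the constructed public resolver. The McAfee, WinZip, ctfmon and core Windows entries pass, which is the point: the rules shorten the list a human reads, they do not replace the read.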

#14
Guest_thatman_*
  • Guest
Hi pedroparra

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
Quote:
    Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
    Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    Restrict the actions of potentially dangerous sites in Internet Explorer.
    Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program, like a missing file, see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :thumbsup:

Kc ;)
  • 0

#15
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
This topic has been resolved and is now closed. If the original poster has any other problems and needs it reopened, please contact a staff member.
  • 0
